← LNC Professional

Privacy Policy

LNC Professional

Your trust matters. Here is how we handle your information, in plain language.

Last updated: 18 July 2026


Who we are

LNC Professional is the trading name of LNC NSI Barbados SRL ("LNC Professional", "we", "us", "our"), a Society with Restricted Liability formed under the Barbados Societies with Restricted Liability Act. We supply professional nail products to nail technicians, nail students, salon owners, resellers and distributors around the world through our website lncpronails.com and through direct enquiries.

We are the controller of the personal information described in this policy. That means we decide what is collected and why, and we are the ones you hold accountable for it.

Registered entity: LNC NSI Barbados SRL, trading as LNC Professional

Home jurisdiction: Barbados. Our processing is governed in the first instance by the Barbados Data Protection Act 2019, and we also honour the standards described in this policy for customers elsewhere.

Our people. Your information may be seen by our staff and by staff of our group companies, who act for us and are bound by the same obligations.

How to reach us about your data:

If you write to us about your personal information, please put "Data request" in the subject line so it reaches the right person quickly.

Data protection contact: email info@lncpronails.com or message us on WhatsApp at +1 562 548 7272. Both reach the people responsible for privacy enquiries.


Who this policy covers

This policy covers everyone whose personal information we hold: people who fill in a form on our website, message us on WhatsApp, Messenger or Instagram, email us, place an order, or apply to become a reseller or distributor.

We sell business to business. Even so, the people we deal with are individuals, and their personal information is protected in the same way. A business contact detail is still personal data when it identifies a person.


What we collect

When you fill in our lead or enquiry form, or message us:

When you order from us or correspond with us:

When you message us on WhatsApp, Facebook Messenger or Instagram Direct:

When you visit our website:

What we do not collect: we do not ask for, and do not want, sensitive categories of information such as health data, religious or political beliefs, or biometric data. Please do not send them to us.

Payment details: payments are handled by third-party payment processors. We never see or store your card details, and card data does not reach LNC Professional systems at any point.


Why we use it, and our lawful basis for each purpose

We only use your information for the reasons below. "Lawful basis" is the legal justification we rely on, which regulators can ask us to demonstrate.

What we doWhyLawful basis
Reply to your enquiry, quote you, and answer product questionsSo we can actually help youSteps taken at your request before entering a contract, or our legitimate interest in responding to business enquiries
Process and deliver your order, and handle returnsTo fulfil what you boughtPerformance of a contract with you
Route your order to the right fulfilment hubSo your order ships from the nearest locationPerformance of a contract with you
Assess reseller and distributor applicationsTo decide who we can supplySteps taken before entering a contract, and our legitimate interest in running a trade channel responsibly
Send you marketing emails and offersTo tell you about products, training and promotionsYour consent, which you can withdraw at any time
Keep a record of the consent you gaveSo we can prove we asked properlyLegal obligation and our legitimate interest in being accountable
Measure which advertisements bring genuine enquiriesSo we do not waste money advertising to the wrong peopleYour consent for advertising cookies and the Meta Pixel, and our legitimate interest in understanding our own campaigns
Keep our systems and accounts secure, and prevent fraudTo protect you and usOur legitimate interest in security, and legal obligation where applicable
Keep accounting and tax recordsBecause we have toLegal obligation

Where we rely on legitimate interests, we have thought about whether our interest is outweighed by your privacy. You can ask us to explain our reasoning, and you can object (see "Your rights" below).


An AI assistant reads and answers our messages

We want to be straightforward about this, because you deserve to know who, or what, you are talking to.

When you message us on WhatsApp, Facebook Messenger or Instagram Direct, your message is handled in the first instance by an automated AI assistant called Lilly. Lilly is software, not a person. Lilly reads the content of your message, works out what you are asking for, and drafts or sends a reply. Our human team oversees Lilly's work and steps in to take over conversations.

What this means in practice:

Lilly does not make decisions that produce legal effects for you or similarly significantly affect you. She answers questions, shares product information, and passes enquiries to our team. Pricing, credit terms and distributor approvals are decided by people, not by Lilly.

AI service providers: message content is processed by AI service providers in the United States and the European Union, acting on our instructions and only to draft a reply to you.


Who we share it with

We do not sell your personal information. We have never done so and we do not intend to.

We share it only with service providers who help us run the business, and only for that purpose. They act on our instructions and are bound by contract. The ones we use today are:

ProviderWhat they do for usWhere they process data
BrevoMarketing and transactional emailEuropean Union
ChatwootOur chat inbox, where WhatsApp, Messenger and Instagram messages arriveSelf-hosted by us on our own infrastructure, see below
Meta PlatformsAdvertising, the Meta Pixel, and the Facebook, Instagram and WhatsApp messaging channelsGlobal, primarily United States and Ireland
CloudflareWebsite hosting, content delivery and securityGlobal edge network
AirtableOur records of enquiries and ordersUnited States
HetznerThe servers running our self-hosted database and applicationsGermany (Nuremberg and Falkenstein)

We also share information with:

And where we genuinely have to:

Your use of Facebook, Instagram and WhatsApp is also governed by the privacy policies of Meta Platforms, Inc. We do not control what Meta does with data you give directly to Meta.


Sending information across borders

We are based in Barbados, and we ship worldwide from four fulfilment locations. We route each order to the one that can get it to you fastest. Not all of them are ours, and the difference matters, so here it is:

LocationWho runs itWhat that means for your data
United StatesFulfilment provider
Central America (Panama)An independent third-party logistics vendor, not a company we ownYour delivery details are passed to an outside company acting as our processor, under contract
Middle East (Dubai and Jordan), serving Africa and the MENA regionFulfilment provider
Southeast Asia (Malaysia)Fulfilment provider

We also work with our own group companies in Hong Kong and Guyana, and some products ship from the United States.

So your name, contact details and delivery information will be sent to whichever location is handling your order, and to the carrier delivering it. Our service providers listed above also operate internationally. Your information will cross borders. There is no way to run a global supply business otherwise, and we would rather say so plainly than bury it.

Where the Panama hub is concerned, we want to be especially clear. That hub is an outside company. It is not part of our group. It receives your delivery information because it packs and ships your order, and for no other reason. It is bound by a written contract that limits it to acting on our instructions, and it is not permitted to use your information for its own purposes.

Some of the countries involved do not have privacy laws that a Barbadian, European, British or Nigerian regulator would call "adequate". Where that is the case, we rely on one or more of the following safeguards:

Where your data actually sits. Our servers and our email provider are in the European Union. When you place an order we share only the delivery details needed to get your parcel to you with the fulfilment provider for your region, and only for that purpose.

You can ask us for details of the safeguards that apply to your information by emailing info@lncpronails.com.


How long we keep it

We keep personal information only as long as we have a reason to.

InformationHow long we keep itWhy
Enquiries that did not become orders24 months from your last contact with usSo we can pick up a conversation you started
Customer and order records5 years from the end of the financial year the record relates to, as required by Barbados tax lawLegal and tax obligation
Marketing consent recordsfor as long as we market to you, plus 24 months afterwardsTo prove we had your permission
Chat conversations, including AI-handled messages24 monthsCustomer service history and quality review
Website and pixel dataSee the Cookie Policy

When the period ends, we delete the information or anonymise it so it can no longer identify you.

Note: the retention periods above are proposals, not commitments, until counsel confirms the statutory minimums that apply to LNC NSI Barbados SRL under Barbados law Publishing a period we cannot honour is worse than publishing none.


Your rights

Wherever you live, we will honour the following. Some of these are guaranteed to you by law under the Barbados Data Protection Act 2019, which is the law of our home jurisdiction, and under the EU and UK GDPR, Nigeria's Data Protection Act, California's privacy laws, and the data protection laws of a growing number of CARICOM states. We apply them to everyone rather than sorting people by passport.

How to exercise a right: email info@lncpronails.com or message +1 562 548 7272. We will ask a couple of questions to confirm it is really you, because handing your data to the wrong person would be the worse mistake. We will not ask for more identification than we need.

How long we take: we aim to respond within 30 days. If your request is complicated we may need longer, and we will tell you why before the 30 days are up.

If you are not happy with how we handled it, you can complain to your data protection regulator. Depending on where you are, that may be:

We would rather you came to us first, but you do not have to.


How you can stop the marketing

Every marketing email we send has an unsubscribe link, and it works. You can also just tell us on WhatsApp or by email and we will take you off the list. We do not send unsolicited messages, and we do not add people to our marketing list who did not ask to be there.


How we keep it safe

We take security seriously and we do the following:

No system anywhere is perfectly secure, and anyone who tells you otherwise is selling something. If a security breach ever puts your information at real risk, we will tell the relevant regulator within the time the law allows, and we will tell you directly and plainly where the law requires it or where you would want to know.

Certifications: we make no claim to hold any security certification. If we obtain one, we will say so here.


Children

Our products are professional supplies sold to adults in a trade. Our website and our services are not intended for anyone under 18, and we do not knowingly collect information from children.

If you believe a child has given us their information, email info@lncpronails.com and we will delete it.


Cookies and the Meta Pixel

Our website uses cookies and the Meta Pixel. These are covered in a separate document, our Cookie Policy, which explains what each one does, how long it lasts, and how to turn the optional ones off.


Automated processing

Two things on our side are automated, and we want both on the record:

  1. The AI assistant, Lilly, described above, reads and replies to your chat messages.
  2. The Meta Pixel helps Meta's advertising systems decide who sees our advertisements. That is profiling for advertising purposes, and it runs only if you consent to advertising cookies.

Neither of these makes a decision about you that has a legal effect or a similarly significant effect. We do not use automated systems to approve or refuse credit, to set your prices, or to decide whether you can be a distributor. People make those calls.

If you ever believe an automated process has produced an outcome you want reviewed, email us and a human will look at it.


Changes to this policy

If we change this policy we will update the date at the top. If the change is significant, for example a new purpose for your information or a new category of recipient, we will tell you directly rather than quietly editing the page.


Questions

Questions about your data? Email info@lncpronails.com or message +1 562 548 7272. A person will answer.



Placeholder summary

Every item below needs a real answer before this policy can be published. Nothing here has been invented.

#PlaceholderWhat is neededWho decides
1Last updated dateThe date of approval and publicationProprietor
2Registered office addressFull registered office address in BarbadosProprietor
3SRL registration numberThe Barbados society registration numberProprietor
3aSubsidiary registered namesExact registered names of the Hong Kong and Guyana subsidiariesProprietor
3bFulfilment location ownershipFor the US, Middle East and Malaysia hubs, confirm group-operated or third-party vendor. Panama is confirmed as a third-party vendorProprietor
3cPanama vendor processor contractConfirm a signed data processing agreement exists with the Panama 3PL, and whether the vendor is named in the policyProprietor, then counsel
4Data protection contactA name or a role title for privacy enquiries. GDPR Article 13 and the NDPA both expect a contact pointProprietor
5Payment data handlingConfirm how payments are taken and whether card or bank data ever touches LNC systemsProprietor, then counsel
6AI service provider nameWhich model provider processes chat message content through LillyProprietor, then counsel on whether it must be named publicly
7Brevo processing regionConfirm the region Brevo processes inProprietor or technical team
8Hetzner regionGermany, Finland or United StatesTechnical team
9Transfer safeguardsWhich mechanism actually exists for each fulfilment hub and each processor, and whether Standard Contractual Clauses have been signedCounsel. This is the largest open item.
10Retention: enquiriesConfirm or change the proposed 24 monthsProprietor
11Retention: customer and order recordsThe statutory accounting retention minimum under Barbados lawCounsel
12Retention: consent recordsHow long after marketing stopsCounsel
13Retention: chat conversationsConfirm or change the proposed 24 monthsProprietor

Matters that genuinely require a lawyer, stated plainly

These are not placeholders that can be filled by looking something up. They are legal judgment calls, and I am not able to make them.

  1. Does LNC Professional need an EU representative under GDPR Article 27, or a UK representative under UK GDPR? If the business offers goods to people in the EU or UK without being established there, a representative is generally required, and the representative's details must appear in this policy. There is currently no such appointment and none has been assumed. Counsel must decide, and if the answer is yes, this policy needs a new section.
  1. Does the business meet the thresholds that make California's CCPA and CPRA apply? Note the basis carefully: LNC NSI Barbados SRL is not a US company and is not incorporated in the United States. Any US exposure arises from two facts instead, and counsel should reason from those: some products ship from the United States, and the principal is a US citizen. Doing business in California is what triggers the CCPA, not incorporation, so shipping into the state can be enough if the revenue or volume thresholds are met. The rights section has been written to honour CCPA-style rights regardless, which is the safer posture, but formal applicability affects other obligations such as the required "Notice at Collection" and specific homepage link wording.

2a. The Barbados Data Protection Act 2019 is now the home regime and needs its own assessment. It is GDPR-modelled and includes a registration requirement for data controllers and processors with the Data Protection Commissioner. Counsel must confirm the Act's current commencement and enforcement position and whether LNC NSI Barbados SRL is required to register. I am not able to verify the in-force status of specific Barbadian provisions from here, and I will not assume it either way. If registration is required, that is an action item, not just a policy edit.

  1. Nigeria's NDPA. Nigeria is currently the largest source of enquiries. The NDPA has registration obligations for data controllers of major importance and specific requirements around data protection compliance audits. Counsel should assess whether LNC NSI Barbados SRL meets the "major importance" threshold, because that triggers registration with the Nigeria Data Protection Commission.
  1. Whether the AI assistant disclosure is sufficient in every target market. The disclosure written here is honest and prominent, which is the right instinct. Some jurisdictions are moving toward mandatory, specific AI interaction disclosure, and the EU AI Act's transparency obligation for systems interacting with people is the clearest example. Counsel should confirm the wording meets it.
  1. The correct legal characterisation of each fulfilment location. This is now partly answered and partly open. Panama is confirmed as an independent third-party logistics vendor, so it is a processor and requires its own signed data processing agreement plus a transfer mechanism in its own right. The US, Middle East and Malaysia locations are still unconfirmed. Group companies (Hong Kong, Guyana) are a different case again, since intra-group transfers can be covered by binding internal arrangements rather than vendor contracts. Counsel should settle each one, because the contracts required differ in each case.
  1. Whether the Barbados position changes the EU representative analysis. Barbados is not covered by an EU adequacy decision, and a Barbadian controller selling into the EU is exactly the "not established in the Union" scenario Article 27 contemplates. This makes item 1 above more likely to bite, not less. Counsel should treat it as a live question rather than a formality.


Implementation notes

Practical steps to make this policy real rather than decorative.

Live issue on the advertising landing page, needs fixing now

This one is not a future task. It describes the page as it currently runs, while paid traffic is going to it.

The page: api.eiccio.net/eden/v1/lncpro/stock, the landing page Meta traffic ads point to, and the only working route from a paid ad into a WhatsApp conversation with Lilly.

What is wrong with it today:

  1. The Meta Pixel loads unconditionally on page load. It fires before the visitor has been asked anything and regardless of what they would have chosen. There is no consent gate in front of it.
  2. There is no privacy policy link on the page at all. A visitor who lands there from an advertisement has no route to find out what happens to their data.
  3. There is no cookie banner, so there is no consent record for the Pixel and no way for the visitor to decline.

Why it matters more than it looks. Paid traffic is running to this page right now, including to EU-adjacent and Nigerian audiences. Every visit is a live instance of the problem, not a theoretical one. It is also a Meta advertising policy exposure independent of data protection law, because Meta requires advertisers using the Pixel to disclose it and to provide a privacy policy. This page is where the enforcement risk is highest and the fix is cheapest.

What specifically must change before this page is compliant:

Interim position, stated honestly. Until the Pixel is gated, the accurate description of the current state is that advertising cookies are set without consent. Publishing a cookie policy that says optional cookies "only run if you say yes" while this page fires the Pixel on load would make the policy inaccurate on its first day. Either fix the page before publishing, or publish and fix the page in the same change window. Publishing the policy alone would create a documented gap between what we say and what we do, which is a worse position than the one we are in now.

Where the links must sit

Do we need a cookie consent banner?

Yes. The Meta Pixel makes this unavoidable.

What the form consent checkbox must record to be defensible

A consent record is only worth something if it can answer a regulator's question: "prove this person agreed, and show me exactly what they agreed to." Store all of the following against every lead, in the PostgreSQL record and mirrored to Airtable:

  1. Timestamp of the submission, in UTC, with timezone recorded.
  2. The exact consent wording shown, stored verbatim, or a version identifier pointing to an immutable copy of that wording. If the wording changes later, old records must still show what the old wording said.
  3. Which boxes were ticked, stored separately. Marketing consent and the enquiry submission are two different things and must never share one checkbox.
  4. The unticked default. Pre-ticked boxes are invalid consent under the GDPR. The stored record should reflect an affirmative action by the person.
  5. The page or URL the form was submitted from.
  6. The ad campaign identifier the lead arrived from, which is already being captured.
  7. The IP address at submission, or a truncated form of it, as evidence of the act. Keep this for the consent proof period only.
  8. The consent version of the privacy policy in force at that moment.

Two operational rules that make the record hold up: